14 DAY TRIAL // Researchers from Sucuri Security, a company running a web integrity monitoring service, warn that a number of websites hosted at Go Daddy have had malicious code injected into their pages.
All infected sites had base64-encoded JavaScript added to all of their PHP files. The rogue scripting decodes to a <script> element, which loads content from a third-party domain.
The external code redirects visitors to a scareware distribution website, which mimics an antivirus scan and displays fake warnings about infections on their computers.
The goal of this scam is to trick users to buy licenses for a useless application, which claims to be able to clean malware, that wasn't even there to begin with.
"What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber," writes Sucuri researcher David Dede.
The company provides a generic website clean-up script, which according to some comments worked for removing this latest infection.
However, if you're amongst the affected website owners, you should check first with Go Daddy, as they might already a solution to this attack.
"Go Daddy's Security team quickly identified the source of this afternoon's PHP exploit and expects to have the approximately 150 affected sites restored shortly.
"We are continuing to monitor for any related activity and appreciate customer feedback," Todd Redfoot, Go Daddy's chief information security officer, said.
It's unlikely that Go Daddy's own infrastructure is at fault for this mass compromise. The reason why all infected sites are at hosted in the same place is because attackers first scan the IP space of big hosting providers, to build lists of vulnerable websites and then they attack them en masse.
Other companies like Network Solutions, Bluehost or media temple, also had to deal with similar incidents in the past; some of them even repeatedly.